<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <title>Invoke-Mimikatz (PowerSploit)</title>
    <link rel="stylesheet" type="text/css" href="common/style.css" />
    <script language="JavaScript" type="text/javascript" src="common/script.js"></script>
  </head>
  <body>
    <h1 class="title">Invoke-Mimikatz (PowerSploit)</h1>
      <h2 class="toc"><a href="#toc" class="collapse" id="a-toc" onclick="showhide('toc');">-</a> <a name="toc">Table of Contents</a></h2>
        <div class="toc" id="div-toc">
          <ul>
            <li><a href="#Summary">Tool Overview</a></li>
            <li><a href="#ExecCondition">Tool Operation Overview</a></li>
            <li><a href="#Findings">Information Acquired from Log</a></li>
            <li><a href="#SuccessCondition">Evidence That Can Be Confirmed When Execution is Successful</a></li>
            <li><a href="#KeyEvents">Main Information Recorded at Execution</a></li>
            <li><a href="#SourceDetails">Details: Source Host</a></li>
            <li><a href="#DestinationDetails">Details: Destination Host</a></li>
            <li><a href="#ADDetails">Details: Domain Controller</a></li>
          </ul>
          <p class="toc_command"><a href="#" onclick="collapseall('s');">Open all sections</a> | <a href="#" onclick="collapseall('h');">Close all sections</a></p>
          <hr class="section_divider" />
        </div>
      <h2 class="section"><a href="#Summary" class="collapse" id="a-Summary" onclick="showhide('Summary');">-</a> <a name="Summary">Tool Overview</a></h2>
        <div class="section" id="div-Summary">
          <dl class="table">
            <dt class="table">Category</dt>
              <dd class="table">Password and Hash Dump</dd>
            <dt class="table">Description</dt>
              <dd class="table">Loads Mimikatz into PowerShell process memory (reflectively, so no Mimikatz executable is written to disk) and runs it; with the -ComputerName parameter it does the same on remote hosts over WinRM.</dd>
            <dt class="table">Example of Presumed Tool Use During an Attack</dt>
              <dd class="table">This tool is used to dump the passwords and hashes of logged-on users from LSASS memory and to reuse them for unauthorized logins to other hosts.</dd>
          </dl>
        </div>
      <h2 class="section"><a href="#ExecCondition" class="collapse" id="a-ExecCondition" onclick="showhide('ExecCondition');">-</a> <a name="ExecCondition">Tool Operation Overview</a></h2>
        <div class="section" id="div-ExecCondition">
          <table class="border">
            <thead>
              <tr class="border">
                <th class="border_header">Item</th>
                <th class="border_header">Source Host</th>
                <th class="border_header">Destination Host</th>
              </tr>
            </thead>
            <tbody>
              <tr class="border">
                <td class="border_header">OS</td>
                <td class="border" colspan="2">Windows</td>
              </tr>
              <tr class="border">
                <td class="border_header">Belonging to Domain</td>
                <td class="border" colspan="2">Not required</td>
              </tr>
              <tr class="border">
                <td class="border_header">Rights</td>
                <td class="border" colspan="2">Administrator</td>
              </tr>
              <tr class="border">
                <td class="border_header">Communication Protocol</td>
                <td class="border" colspan="2">5985/tcp (HTTP), 5986/tcp (HTTPS)</td>
              </tr>
              <tr class="border">
                <td class="border_header">Service</td>
                <td class="border" colspan="2">Windows Remote Management</td>
              </tr>
            </tbody>
          </table>
        </div>
      <h2 class="section"><a href="#Findings" class="collapse" id="a-Findings" onclick="showhide('Findings');">-</a> <a name="Findings">Information Acquired from Log</a></h2>
        <div class="section" id="div-Findings">
          <dl class="table">
            <dt class="table">Standard Settings</dt>
              <dd class="table"><ul>
                <li>Source host<ul>
                  <li>Execution history (Prefetch)</li>
                  <li>Details of the script/command executed (Windows 10 only; recorded as Event ID 4104 in &quot;Microsoft-Windows-PowerShell/Operational&quot; and, for interactive console sessions, in C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt. By default Windows 10 writes 4104 only for script blocks that PowerShell judges suspicious; enable the &quot;Turn on PowerShell Script Block Logging&quot; policy to record every block)</li>
                  </ul></li>
                </ul></dd>
            <dt class="table">Additional Settings</dt>
              <dd class="table"><ul>
                <li>Source host<ul>
                  <li>Execution history (audit policy, Sysmon)</li>
                  <li>A record of communication using WinRM (5985/tcp) (audit policy, Sysmon)</li>
                  <li>Details of the script/command executed (Windows 7 with Windows Management Framework 5.0 installed; recorded as Event ID 4104 in &quot;Microsoft-Windows-PowerShell/Operational&quot; and, for interactive console sessions, in C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt)</li>
                  </ul></li>
                <li>Destination Host<ul>
                  <li>A record of communication using WinRM (5985/tcp) (audit policy, Sysmon)</li>
                  </ul></li>
                </ul></dd>
          </dl>
        </div>
      <h2 class="section"><a href="#SuccessCondition" class="collapse" id="a-SuccessCondition" onclick="showhide('SuccessCondition');">-</a> <a name="SuccessCondition">Evidence That Can Be Confirmed When Execution is Successful</a></h2>
        <div class="section" id="div-SuccessCondition">
          <ul>
            <li>Source Host: Event ID 4104 is recorded in the event log &quot;Microsoft-Windows-PowerShell/Operational&quot;, and its ScriptBlockText contains the Invoke-Mimikatz script (Windows 10, or Windows 7 with Windows Management Framework 5.0 installed). Because the script is large it is split across several 4104 events that share one ScriptBlockId; look for the function name, the mimikatz commands it runs by default (&quot;privilege::debug&quot;, &quot;sekurlsa::logonpasswords&quot;) and the embedded PE variables ($PEBytes32/$PEBytes64).</li>
          </ul>
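          <p>As an added example (not part of the original sheet): the script block check described above, run over a constructed export of 4104 events. A large script block is logged as several 4104 events that share one ScriptBlockId, numbered MessageNumber 1..MessageTotal, so the chunks are joined before matching; an empty Path field means the block was loaded from memory rather than from a file. The host name, GUIDs, timestamps and the shortened sample text are assumptions; the XML layout is that of <code>wevtutil qe Microsoft-Windows-PowerShell/Operational /f:xml</code>.</p>

```python
"""Reassemble Event ID 4104 script blocks and flag Invoke-Mimikatz indicators.

Added example. Input is the XML that, for instance,
  wevtutil qe Microsoft-Windows-PowerShell/Operational /q:"*[System[EventID=4104]]" /f:xml
produces. A large script block arrives as several 4104 events sharing one
ScriptBlockId (MessageNumber 1..MessageTotal), so chunks are joined before matching.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Strings found in PowerSploit's Invoke-Mimikatz.ps1 or in the mimikatz command line it
# runs by default. Obfuscated copies will not match: treat this list as a floor.
INDICATORS = [
    r"Invoke-Mimikatz",
    r"sekurlsa::logonpasswords",
    r"privilege::debug",
    r"\$PEBytes(32|64)\s*=",
    r"DumpCreds",
]

# Constructed sample (not a real capture): one block split into two chunks, logged out
# of order and loaded from memory (empty Path), plus a benign block run from a file.
SAMPLE_4104 = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4104</EventID><Computer>SRC-PC</Computer>
  <TimeCreated SystemTime="2017-06-01T01:00:00.000Z"/></System>
 <EventData>
  <Data Name="MessageNumber">2</Data><Data Name="MessageTotal">2</Data>
  <Data Name="ScriptBlockText">$PEBytes64 = "TVqQAAMAAAAEAAAA..." ; Invoke-Mimikatz -DumpCreds</Data>
  <Data Name="ScriptBlockId">aaaaaaaa-0000-0000-0000-000000000001</Data>
  <Data Name="Path"></Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4104</EventID><Computer>SRC-PC</Computer>
  <TimeCreated SystemTime="2017-06-01T01:00:00.000Z"/></System>
 <EventData>
  <Data Name="MessageNumber">1</Data><Data Name="MessageTotal">2</Data>
  <Data Name="ScriptBlockText">function Invoke-Mimikatz { Param([Switch]$DumpCreds, [String]$Command = '"privilege::debug" "sekurlsa::logonpasswords" exit')</Data>
  <Data Name="ScriptBlockId">aaaaaaaa-0000-0000-0000-000000000001</Data>
  <Data Name="Path"></Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4104</EventID><Computer>SRC-PC</Computer>
  <TimeCreated SystemTime="2017-06-01T01:05:00.000Z"/></System>
 <EventData>
  <Data Name="MessageNumber">1</Data><Data Name="MessageTotal">1</Data>
  <Data Name="ScriptBlockText">Get-Process | Sort-Object CPU -Descending | Select-Object -First 5</Data>
  <Data Name="ScriptBlockId">bbbbbbbb-0000-0000-0000-000000000002</Data>
  <Data Name="Path">C:\\Scripts\\top.ps1</Data>
 </EventData>
</Event>
</Events>"""


def _event_data(ev):
    """EventData/Data elements as {Name: text}; empty elements become ''."""
    return {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}


def reassemble_script_blocks(xml_text):
    """Return {ScriptBlockId: info} with the chunk texts joined in MessageNumber order."""
    root = ET.fromstring(xml_text)
    chunks = defaultdict(dict)
    meta = {}
    for ev in root.iter("{%s}Event" % NS["e"]):
        if ev.find("e:System/e:EventID", NS).text != "4104":
            continue
        d = _event_data(ev)
        sbid = d["ScriptBlockId"]
        chunks[sbid][int(d["MessageNumber"])] = d["ScriptBlockText"]
        meta.setdefault(sbid, {
            "computer": ev.find("e:System/e:Computer", NS).text,
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "path": d["Path"],
            "total": int(d["MessageTotal"]),
        })
    blocks = {}
    for sbid, parts in chunks.items():
        info = dict(meta[sbid])
        info["complete"] = len(parts) == info["total"]   # a missing chunk leaves a gap
        info["text"] = "".join(parts[n] for n in sorted(parts))
        blocks[sbid] = info
    return blocks


def scan_4104(xml_text):
    """Findings for every reassembled block that matches at least one indicator."""
    findings = []
    for sbid, info in reassemble_script_blocks(xml_text).items():
        hits = [p for p in INDICATORS if re.search(p, info["text"], re.IGNORECASE)]
        if hits:
            findings.append({
                "script_block_id": sbid,
                "computer": info["computer"],
                "time": info["time"],
                "in_memory": info["path"] == "",   # no Path: not run from a file on disk
                "complete": info["complete"],
                "chunks": info["total"],
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_4104(SAMPLE_4104):
        print(finding)
```

          <p>The benign block is not reported, and the two chunks are matched only after reassembly, which is the step a naive per-event string search misses when the indicator string straddles a chunk boundary.</p>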
        </div>
      <h2 class="section"><a href="#KeyEvents" class="collapse" id="a-KeyEvents" onclick="showhide('KeyEvents');">-</a> <a name="KeyEvents">Main Information Recorded at Execution</a></h2>
        <div class="section" id="div-KeyEvents">
          <h3 class="subsection"><a href="#KeyEvents-Source" class="collapse" id="a-KeyEvents-Source" onclick="showhide('KeyEvents-Source');">-</a> <a name="KeyEvents-Source">Source Host</a></h3>
            <div class="section" id="div-KeyEvents-Source">
              <h4>Event log</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">Log</th>
                      <th class="border_header">Event ID</th>
                      <th class="border_header">Task Category</th>
                      <th class="border_header">Event Details</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">1</td>
                      <td class="border">Process Create (rule: ProcessCreate)</td>
                      <td class="border">Process Create.<ul>
                        <li><span class="strong">CommandLine</span>: Command line of the execution command (&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;)</li>
                        <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                        <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                        <li><span class="strong">User</span>: Execute as user</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">2</td>
                      <td class="border">Microsoft-Windows-WinRM/Operational</td>
                      <td class="border">6</td>
                      <td class="border">WSMan Session Initialize</td>
                      <td class="border">Creating WSMan Session. The connect string is [Connect String].<ul>
                        <li><span class="strong">Connect String</span>: WSMan endpoint URL of the host being connected to (the destination host, in the form http://[Destination Host]:5985/wsman?PSVersion=...)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">3</td>
                      <td class="border">Microsoft-Windows-PowerShell/Operational</td>
                      <td class="border">4104</td>
                      <td class="border">Execute a Remote Command.</td>
                      <td class="border">Creating Scriptblock text.<ul>
                        <li><span class="strong">ScriptBlockText (Message)</span>: The script block as executed, recorded in clear text after any decoding. A large script is split across several 4104 events that share one ScriptBlockId (MessageNumber/MessageTotal give the order); Path is empty when the block was loaded from memory rather than from a file.</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">4</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">3</td>
                      <td class="border">Network connection detected (rule: NetworkConnect)</td>
                      <td class="border">Network connection detected.<ul>
                        <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                        <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                        <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                        <li><span class="strong">SourceIp/SourceHostname/SourcePort</span>: Source IP address/Host name/Port number (source host)</li>
                        <li><span class="strong">DestinationIp/DestinationHostname/DestinationPort</span>: Destination IP address/Host name/Port number (destination port: 5985)</li>
                        </ul></td>
                    </tr>
                  </tbody>
                </table>
              <h4>USN journal</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">File Name</th>
                      <th class="border_header">Process</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">ConsoleHost_history.txt</td>
                      <td class="border">CLOSE+DATA_EXTEND</td>
                    </tr>
                  </tbody>
                </table>
              <h4>UserAssist</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">Registry</th>
                      <th class="border_header">Data</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">HKEY_USERS\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr<br />(the value name is ROT13-encoded; it decodes to {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe, where the GUID is the System32 known folder)</td>
                      <td class="border">Date and time of the last execution, total number of executions (the value keeps only the most recent run time, so repeated runs overwrite it)</td>
                    </tr>
                  </tbody>
                </table>
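              <p>As an added example (not part of the original sheet): a decoder for the UserAssist entry listed above. The value name is ROT13-encoded, and on Windows 7 and later the 72-byte REG_BINARY value holds the run count at offset 4, the focus count at offset 8 and the last-execution FILETIME at offset 60. The key path and value name are the ones in the table; the value bytes, the count and the timestamp are constructed here.</p>

```python
"""Added example: decode a UserAssist value (ROT13 name + Windows 7 and later binary layout).

The key path is the one listed in the table; the 72-byte value is constructed, not an
export from a real hive.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# The {GUID} under UserAssist\ selects the list; these two are the ones seen in practice.
LISTS = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "executable file execution",
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "shortcut (.lnk) execution",
}


def filetime_to_datetime(ft):
    """FILETIME (100 ns intervals since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic (no float rounding)."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist(list_guid, value_name, value_data):
    """list_guid: the {GUID} component of the key path; value_name: the ROT13 value name
    under ...\\Count; value_data: the raw REG_BINARY value (Windows 7+ layout only)."""
    if len(value_data) != 72:
        raise ValueError("expected the 72-byte Windows 7+ layout, got %d bytes" % len(value_data))
    run_count = struct.unpack_from("<I", value_data, 4)[0]
    focus_count = struct.unpack_from("<I", value_data, 8)[0]
    last_run_ft = struct.unpack_from("<Q", value_data, 60)[0]
    return {
        "list": LISTS.get(list_guid, "unknown"),
        "path": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        # An all-zero FILETIME means the entry exists without a recorded run time.
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def build_sample_value(run_count, focus_count, last_run):
    """Constructed value in the Windows 7+ layout; the session ID, focus time and the
    ten float fields that real values carry are left zero."""
    data = bytearray(72)
    struct.pack_into("<I", data, 4, run_count)
    struct.pack_into("<I", data, 8, focus_count)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_run))
    return bytes(data)


# Key GUID and value name exactly as they appear in the table above.
SAMPLE_GUID = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr"
# Constructed run count and timestamp.
SAMPLE_LAST_RUN = datetime(2017, 6, 1, 1, 2, 3, tzinfo=timezone.utc)
SAMPLE_DATA = build_sample_value(3, 1, SAMPLE_LAST_RUN)

if __name__ == "__main__":
    print(decode_userassist(SAMPLE_GUID, SAMPLE_NAME, SAMPLE_DATA))
```

              <p>The decoder refuses the 16-byte Windows XP layout rather than guessing at it, because the XP run count is stored with a different offset and base and silently misreading it would produce a wrong count.</p>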
              <h4>MFT</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">Path</th>
                      <th class="border_header">Header Flag</th>
                      <th class="border_header">Validity</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">[Drive Name]:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt</td>
                      <td class="border">FILE</td>
                      <td class="border">ALLOCATED</td>
                    </tr>
                  </tbody>
                </table>
              <h4>Prefetch</h4>
                <ul>
                  <li>C:\Windows\Prefetch\POWERSHELL.EXE-[RANDOM].pf</li>
                </ul>
            </div>
          <h3 class="subsection"><a href="#KeyEvents-Destination" class="collapse" id="a-KeyEvents-Destination" onclick="showhide('KeyEvents-Destination');">-</a> <a name="KeyEvents-Destination">Destination Host</a></h3>
            <div class="section" id="div-KeyEvents-Destination">
              <h4>Event log</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">Log</th>
                      <th class="border_header">Event ID</th>
                      <th class="border_header">Task Category</th>
                      <th class="border_header">Event Details</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">3</td>
                      <td class="border">Network connection detected (rule: NetworkConnect)</td>
                      <td class="border">Network connection detected.<ul>
                        <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                        <li><span class="strong">Image</span>: Path to the executable file (System: the WinRM listener is served by HTTP.sys in the kernel, so the inbound connection is attributed to the System process rather than to wsmprovhost.exe)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                        <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                        <li><span class="strong">SourceIp/SourceHostname/SourcePort</span>: Source IP address/Host name/Port number. Sysmon records the local (listening) side in the Source fields even for inbound connections, so this is the destination host itself with port 5985</li>
                        <li><span class="strong">DestinationIp/DestinationHostname/DestinationPort</span>: Destination IP address/Host name/Port number. Here this is the connecting source host and its ephemeral port; match it against the SourcePort in the source host&apos;s Sysmon Event ID 3</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">2</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">1</td>
                      <td class="border">Process Create (rule: ProcessCreate)</td>
                      <td class="border">Process Create.<ul>
                        <li><span class="strong">ParentImage</span>: Executable file of the parent process (C:\Windows\System32\svchost.exe)</li>
                        <li><span class="strong">CommandLine</span>: Command line of the execution command (C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding)</li>
                        <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (C:\Windows\system32\svchost.exe -k DcomLaunch)</li>
                        <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                        <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">3</td>
                      <td class="border">Microsoft-Windows-WinRM/Operational</td>
                      <td class="border">81</td>
                      <td class="border">Processing of Request</td>
                      <td class="border">Processing client request for operation [Operation].<ul>
                        <li><span class="strong">Operation</span>: Requested process (CreateShell)</li>
                        </ul></td>
                    </tr>
                  </tbody>
                </table>
              <h4>Prefetch</h4>
                <ul>
                  <li>C:\Windows\Prefetch\WSMPROVHOST.EXE-[RANDOM].pf</li>
                </ul>
            </div>
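          <p>As an added example (not part of the original sheet): the cross-host correlation the two tables above make possible, with the source-side Sysmon 3 connection to 5985/tcp joined to its Sysmon 1 process creation on ProcessGuid, to the WinRM Event ID 6 connect string logged at the same time, and to the destination's inbound Sysmon 3 record and WinRM Event ID 81 CreateShell within a short window. The events are constructed samples in flat dict form (one dict per event, field names as in the tables), not real captures; host names, addresses, GUIDs and timestamps are assumptions.</p>

```python
"""Added example: link the source host's powershell.exe WinRM connection to the
destination host's CreateShell request, using the fields listed in the tables above.

All events below are constructed samples in flat dict form, not real captures.
"""
from datetime import datetime, timedelta


def ts(s):
    """Parse the ISO-8601 UTC timestamps used in the samples."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SOURCE_EVENTS = [
    {"host": "SRC-PC", "log": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "time": "2017-06-01T01:00:00Z", "ProcessGuid": "{A1}", "ProcessId": 4120,
     "Image": PS_EXE, "CommandLine": '"%s"' % PS_EXE, "User": "CORP\\admin01",
     "IntegrityLevel": "High"},
    {"host": "SRC-PC", "log": "Microsoft-Windows-WinRM/Operational", "event_id": 6,
     "time": "2017-06-01T01:00:12Z",
     "ConnectString": "http://DST-PC:5985/wsman?PSVersion=5.1.14393.0"},
    {"host": "SRC-PC", "log": "Microsoft-Windows-Sysmon/Operational", "event_id": 3,
     "time": "2017-06-01T01:00:12Z", "ProcessGuid": "{A1}", "ProcessId": 4120,
     "Image": PS_EXE, "Protocol": "tcp",
     "SourceIp": "10.0.0.10", "SourceHostname": "SRC-PC", "SourcePort": 49712,
     "DestinationIp": "10.0.0.20", "DestinationHostname": "DST-PC", "DestinationPort": 5985},
    # Unrelated outbound connection from another process; must not be linked.
    {"host": "SRC-PC", "log": "Microsoft-Windows-Sysmon/Operational", "event_id": 3,
     "time": "2017-06-01T01:00:13Z", "ProcessGuid": "{B2}", "ProcessId": 2200,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe", "Protocol": "tcp",
     "SourceIp": "10.0.0.10", "SourceHostname": "SRC-PC", "SourcePort": 49713,
     "DestinationIp": "93.184.216.34", "DestinationHostname": "", "DestinationPort": 443},
]

DEST_EVENTS = [
    # Sysmon puts the local (listening) side in the Source fields even for inbound connections.
    {"host": "DST-PC", "log": "Microsoft-Windows-Sysmon/Operational", "event_id": 3,
     "time": "2017-06-01T01:00:12Z", "Image": "System", "Protocol": "tcp",
     "SourceIp": "10.0.0.20", "SourcePort": 5985,
     "DestinationIp": "10.0.0.10", "DestinationPort": 49712},
    {"host": "DST-PC", "log": "Microsoft-Windows-WinRM/Operational", "event_id": 81,
     "time": "2017-06-01T01:00:13Z", "Operation": "CreateShell"},
]


def _is(e, log_suffix, event_id):
    return e["log"].endswith(log_suffix) and e["event_id"] == event_id


def correlate_winrm_sessions(source_events, dest_events, window=timedelta(seconds=10)):
    """One chain per powershell.exe connection to 5985/tcp seen on the source host:
    the Sysmon 1 that created the process (joined on ProcessGuid), the WinRM 6 connect
    string logged around the same time, and on the destination the Sysmon 3 inbound
    record for the same socket pair plus the WinRM 81 CreateShell inside `window`.
    The hosts' clocks must be synchronised for the window to be meaningful."""
    by_guid = {e["ProcessGuid"]: e for e in source_events if _is(e, "Sysmon/Operational", 1)}
    chains = []
    for conn in source_events:
        if not _is(conn, "Sysmon/Operational", 3):
            continue
        if conn["DestinationPort"] != 5985 or not conn["Image"].lower().endswith("powershell.exe"):
            continue
        t0 = ts(conn["time"])
        proc = by_guid.get(conn["ProcessGuid"])
        wsman = next((e for e in source_events if _is(e, "WinRM/Operational", 6)
                      and abs(ts(e["time"]) - t0) <= window), None)
        on_dest = [e for e in dest_events
                   if e["host"] == conn["DestinationHostname"] and t0 <= ts(e["time"]) <= t0 + window]
        inbound = next((e for e in on_dest if _is(e, "Sysmon/Operational", 3)
                        and e["SourcePort"] == 5985
                        and e["DestinationIp"] == conn["SourceIp"]
                        and e["DestinationPort"] == conn["SourcePort"]), None)
        shell = next((e for e in on_dest if _is(e, "WinRM/Operational", 81)
                      and e.get("Operation") == "CreateShell"), None)
        chains.append({
            "source_host": conn["host"],
            "dest_host": conn["DestinationHostname"],
            "user": proc["User"] if proc else None,
            "command_line": proc["CommandLine"] if proc else None,
            "process_id": conn["ProcessId"],
            "connected_at": conn["time"],
            "connect_string": wsman["ConnectString"] if wsman else None,
            "dest_inbound_seen": inbound is not None,
            "dest_create_shell_at": shell["time"] if shell else None,
            # Both sides agree only when the destination logged the socket pair and the shell.
            "confirmed": inbound is not None and shell is not None,
        })
    return chains


if __name__ == "__main__":
    for chain in correlate_winrm_sessions(SOURCE_EVENTS, DEST_EVENTS):
        print(chain)
```

          <p>The socket pair (the source host's ephemeral port against the destination's port 5985) is the strongest join key between the two hosts' Sysmon 3 records; the time window only narrows which WinRM 81 belongs to that connection, since Event ID 81 carries no client address.</p>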
        </div>
        <hr class="section_divider">
      <h2 class="section"><a href="#SourceDetails" class="collapse" id="a-SourceDetails" onclick="showhide('SourceDetails');">-</a> <a name="SourceDetails">Details: Source Host</a></h2>
        <div class="section" id="div-SourceDetails">
          <h3 class="subsection"><a href="#SourceDetails-USNJournal" class="collapse" id="a-SourceDetails-USNJournal" onclick="showhide('SourceDetails-USNJournal');">-</a> <a name="SourceDetails-USNJournal">USN Journal</a></h3>
            <div class="section" id="div-SourceDetails-USNJournal">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">File Name</th>
                    <th class="border_header">Process</th>
                    <th class="border_header">Attribute</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="6">1</td>
                    <td class="border">POWERSHELL.EXE-[RANDOM].pf</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">POWERSHELL.EXE-[RANDOM].pf</td>
                    <td class="border">FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">POWERSHELL.EXE-[RANDOM].pf</td>
                    <td class="border">DATA_EXTEND+FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">POWERSHELL.EXE-[RANDOM].pf</td>
                    <td class="border">DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">POWERSHELL.EXE-[RANDOM].pf</td>
                    <td class="border">BASIC_INFO_CHANGE+DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">POWERSHELL.EXE-[RANDOM].pf</td>
                    <td class="border">BASIC_INFO_CHANGE+CLOSE+DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">2</td>
                    <td class="border">POWERSHELL.EXE-[RANDOM].pf</td>
                    <td class="border">DATA_TRUNCATION</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">POWERSHELL.EXE-[RANDOM].pf</td>
                    <td class="border">DATA_EXTEND+DATA_TRUNCATION</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">POWERSHELL.EXE-[RANDOM].pf</td>
                    <td class="border">CLOSE+DATA_EXTEND+DATA_TRUNCATION</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">3</td>
                    <td class="border">CustomDestinations</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">directory</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">CustomDestinations</td>
                    <td class="border">CLOSE+FILE_CREATE</td>
                    <td class="border">directory</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="6">4</td>
                    <td class="border">[RANDOM].customDestinations-ms</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[RANDOM].customDestinations-ms</td>
                    <td class="border">FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[RANDOM].customDestinations-ms</td>
                    <td class="border">DATA_EXTEND+FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[RANDOM].customDestinations-ms</td>
                    <td class="border">DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[RANDOM].customDestinations-ms</td>
                    <td class="border">BASIC_INFO_CHANGE+DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[RANDOM].customDestinations-ms</td>
                    <td class="border">BASIC_INFO_CHANGE+CLOSE+DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+SECURITY_CHANGE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">5</td>
                    <td class="border">[RANDOM].customDestinations-ms~RF[RANDOM].TMP</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">hidden+archive+temporary</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[RANDOM].customDestinations-ms~RF[RANDOM].TMP</td>
                    <td class="border">CLOSE+FILE_CREATE</td>
                    <td class="border">hidden+archive+temporary</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[RANDOM].customDestinations-ms~RF[RANDOM].TMP</td>
                    <td class="border">CLOSE+FILE_DELETE</td>
                    <td class="border">hidden+archive+temporary</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">6</td>
                    <td class="border">[RANDOM].ps1</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[RANDOM].ps1</td>
                    <td class="border">DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[RANDOM].ps1</td>
                    <td class="border">CLOSE+DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[RANDOM].ps1</td>
                    <td class="border">CLOSE+FILE_DELETE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">7</td>
                    <td class="border">[RANDOM].psm1</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[RANDOM].psm1</td>
                    <td class="border">DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[RANDOM].psm1</td>
                    <td class="border">CLOSE+DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[RANDOM].psm1</td>
                    <td class="border">CLOSE+FILE_DELETE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">8</td>
                    <td class="border">ConsoleHost_history.txt</td>
                    <td class="border">DATA_EXTEND</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">ConsoleHost_history.txt</td>
                    <td class="border">CLOSE+DATA_EXTEND</td>
                    <td class="border">archive</td>
                  </tr>
                </tbody>
              </table>
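              <p>As an added example (not part of the original sheet): detection logic for the pattern in rows 6 and 7 above, script files that are created, written, closed and then deleted within the same short run. The records below are a constructed sample in the (USN, timestamp, file name, reason flags) form of this table, not a real journal export; the random file names and times are assumptions. A real export also carries the parent file reference number, which should be added to the key so that same-named files in different directories are not merged.</p>

```python
"""Added example: find files that live only for the duration of a tool run in the USN
journal (created and deleted within a short window), as the [RANDOM].ps1 and
[RANDOM].psm1 entries in the table above do.

The records are a constructed sample, not a real journal export.
"""
from datetime import datetime, timedelta

SAMPLE_USN = [
    # (usn, timestamp, file name, reason flags as '+'-joined names)
    (1000, "2017-06-01T01:00:00", "POWERSHELL.EXE-022A1004.pf", "FILE_CREATE"),
    (1008, "2017-06-01T01:00:00", "POWERSHELL.EXE-022A1004.pf",
     "BASIC_INFO_CHANGE+CLOSE+DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+SECURITY_CHANGE"),
    (1016, "2017-06-01T01:00:15", "pubzc3ce.ps1", "FILE_CREATE"),
    (1024, "2017-06-01T01:00:15", "pubzc3ce.ps1", "CLOSE+DATA_EXTEND+FILE_CREATE"),
    (1032, "2017-06-01T01:00:15", "lw2fhjns.psm1", "FILE_CREATE"),
    (1040, "2017-06-01T01:00:15", "lw2fhjns.psm1", "CLOSE+DATA_EXTEND+FILE_CREATE"),
    (1048, "2017-06-01T01:00:41", "ConsoleHost_history.txt", "CLOSE+DATA_EXTEND"),
    (1056, "2017-06-01T01:00:42", "pubzc3ce.ps1", "CLOSE+FILE_DELETE"),
    (1064, "2017-06-01T01:00:42", "lw2fhjns.psm1", "CLOSE+FILE_DELETE"),
    # Deleted, but its creation predates the journal: cannot be called transient.
    (1072, "2017-06-01T01:03:00", "notes.ps1", "CLOSE+FILE_DELETE"),
]

SCRIPT_LIKE = (".ps1", ".psm1", ".tmp", ".exe", ".dll")


def find_transient_files(records, max_lifetime=timedelta(minutes=5), extensions=SCRIPT_LIKE):
    """Return one hit per file whose first FILE_CREATE and its CLOSE+FILE_DELETE are both
    in `records` and at most `max_lifetime` apart. Reason flags accumulate until CLOSE,
    so the first record carrying FILE_CREATE marks the creation and the record carrying
    both CLOSE and FILE_DELETE marks the deletion."""
    created = {}   # file name -> (usn, creation time)
    hits = []
    for usn, when, name, reasons in sorted(records):
        flags = set(reasons.split("+"))
        t = datetime.fromisoformat(when)
        if "FILE_CREATE" in flags and name not in created:
            created[name] = (usn, t)
        if "FILE_DELETE" in flags and "CLOSE" in flags and name in created:
            c_usn, c_t = created.pop(name)
            if name.lower().endswith(extensions) and t - c_t <= max_lifetime:
                hits.append({
                    "name": name,
                    "created": c_t.isoformat(),
                    "deleted": t.isoformat(),
                    "lifetime_s": (t - c_t).total_seconds(),
                    "usn_range": (c_usn, usn),
                })
    return hits


if __name__ == "__main__":
    for hit in find_transient_files(SAMPLE_USN):
        print(hit)
```

              <p>Pairing on the file name alone is enough for this table, whose entries all sit in one directory; on a full journal, key on the file reference number instead, and treat a deletion with no matching creation as "older than the journal", not as benign.</p>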
            </div>
          <h3 class="subsection"><a href="#SourceDetails-EventLogs" class="collapse" id="a-SourceDetails-EventLogs" onclick="showhide('SourceDetails-EventLogs');">-</a> <a name="SourceDetails-EventLogs">Event Log</a></h3>
            <div class="section" id="div-SourceDetails-EventLogs">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Event Log</th>
                    <th class="border_header">Event ID</th>
                    <th class="border_header">Task Category</th>
                    <th class="border_header">Event Details</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                  <td class="border" rowspan="2">1</td>
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">1</td>
                  <td class="border">Process Create (rule: ProcessCreate)</td>
                  <td class="border">Process Create.<ul>
                    <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                    <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                    <li><span class="strong">ParentImage</span>: Executable file of the parent process</li>
                    <li><span class="strong">CurrentDirectory</span>: Work directory</li>
                    <li><span class="strong">CommandLine</span>: Command line of the execution command (&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;)</li>
                    <li><span class="strong">IntegrityLevel</span>: Integrity level of the process (High: the tool needs administrator rights, so an elevated token is expected here)</li>
                    <li><span class="strong">ParentCommandLine</span>: Command line of the parent process</li>
                    <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">User</span>: Execute as user</li>
                    <li><span class="strong">Hashes</span>: Hash values of the executable file</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4688</td>
                  <td class="border">Process Create</td>
                  <td class="border">A new process has been created.<ul>
                    <li><span class="strong">Process Information &gt; Required Label</span>: Necessity of privilege escalation</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Process Information &gt; Source Process Name</span>: Path to parent process that created the new process</li>
                    <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                    <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
                    <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    </ul></td>
                  </tr>
                  <tr class="border">
                  <td class="border" rowspan="3">2</td>
                  <td class="border">Microsoft-Windows-PowerShell/Operational</td>
                  <td class="border">40961</td>
                  <td class="border">PowerShell Console Startup</td>
                  <td class="border">The PowerShell console is starting up.</td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-PowerShell/Operational</td>
                  <td class="border">53504</td>
                  <td class="border">PowerShell Named Pipe IPC</td>
                  <td class="border">Windows PowerShell has started an IPC listening thread on process [Process ID] in AppDomain [AppDomain Name].</td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-PowerShell/Operational</td>
                  <td class="border">40962</td>
                  <td class="border">PowerShell Console Startup</td>
                  <td class="border">PowerShell console is ready for user input</td>
                  </tr>
                  <tr class="border">
                  <td class="border" rowspan="5">3</td>
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Type of the object (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                    </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4663</td>
                  <td class="border">File System</td>
                  <td class="border">An attempt was made to access an object.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile, AppendData)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)</li>
                    <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Type of the object (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4658</td>
                  <td class="border">File System</td>
                  <td class="border">The handle to an object was closed.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">11</td>
                  <td class="border">File created (rule: FileCreate)</td>
                  <td class="border">File created.<ul>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process GUID/Process ID of the creating process</li>
                    <li><span class="strong">TargetFilename</span>: Created file (C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)</li>
                    <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                    </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">2</td>
                  <td class="border">File creation time changed (rule: FileCreateTime)</td>
                  <td class="border">File creation time changed.<ul>
                    <li><span class="strong">UtcTime</span>: Date and time the change occurred (UTC)</li>
                    <li><span class="strong">CreationUtcTime</span>: New timestamp (UTC)</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">PreviousCreationUtcTime</span>: Old timestamp (UTC)</li>
                    <li><span class="strong">TargetFilename</span>: Name of the file changed (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)</li>
                    </ul></td>
                  </tr>
                  <tr class="border">
                  <td class="border" rowspan="1">4</td>
                  <td class="border">Security</td>
                  <td class="border">4670</td>
                  <td class="border">Authorization Policy Change</td>
                  <td class="border">Permissions on an object were changed.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Audit Success</span>: Success or failure (change successful)</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)</li>
                  <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool</li>
                  <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs</li>
                  <li><span class="strong">Change permissions &gt; New security descriptor</span>: Security descriptor after the change (D:ARAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;[SID])(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;[SID]))</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that changed the permissions (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Change permissions &gt; Original security descriptor</span>: Security descriptor before the change (D:(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;[SID]))</li>
                  <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <td class="border" rowspan="3">5</td>
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].customDestinations-ms)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Type of the object (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4663</td>
                  <td class="border">File System</td>
                  <td class="border">An attempt was made to access an object.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].customDestinations-ms)</li>
                  <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Type of the object</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4658</td>
                  <td class="border">File System</td>
                  <td class="border">The handle to an object was closed.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <td class="border" rowspan="2">6</td>
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].customDestinations-ms~[RANDOM].TMP)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Type of the object (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4658</td>
                  <td class="border">File System</td>
                  <td class="border">The handle to an object was closed.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <td class="border" rowspan="3">7</td>
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including SYNCHRONIZE, and WriteData or AddFile)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Type of the object (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4663</td>
                  <td class="border">File System</td>
                  <td class="border">An attempt was made to access an object.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (SYNCHRONIZE, WriteData or AddFile)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations)</li>
                  <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Type of the object</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4658</td>
                  <td class="border">File System</td>
                  <td class="border">The handle to an object was closed.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <td class="border" rowspan="4">8</td>
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (including DELETE)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[ALPHANUM].customDestinations-ms~[ALPHANUM].TMP)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Type of the object (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4663</td>
                  <td class="border">File System</td>
                  <td class="border">An attempt was made to access an object.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (DELETE)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[ALPHANUM].customDestinations-ms~[ALPHANUM].TMP)</li>
                  <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Type of the object (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4660</td>
                  <td class="border">File System</td>
                  <td class="border">An object was deleted.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name</li>
                  <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that deleted the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4658</td>
                  <td class="border">File System</td>
                  <td class="border">The handle to an object was closed.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <td class="border" rowspan="3">9</td>
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">13</td>
                  <td class="border">Registry value set (rule: RegistryEvent)</td>
                  <td class="border">Registry value set.<ul>
                  <li><span class="strong">EventType</span>: Type of registry operation (SetValue)</li>
                  <li><span class="strong">Image</span>: Path to the executable file that wrote the value (C:\Windows\Explorer.EXE)</li>
                  <li><span class="strong">ProcessGuid/ProcessId</span>: Process GUID/Process ID of the writing process</li>
                  <li><span class="strong">Details</span>: Setting value written to the registry (Binary Data)</li>
                  <li><span class="strong">TargetObject</span>: Registry value at the write destination; the program path under the UserAssist key is stored ROT13-encoded, so the value name shown decodes to WindowsPowerShell\v1.0\powershell.exe (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{[GUID]}\Count\{[GUID]}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">13</td>
                  <td class="border">Registry value set (rule: RegistryEvent)</td>
                  <td class="border">Registry value set.<ul>
                  <li><span class="strong">EventType</span>: Type of registry operation (SetValue)</li>
                  <li><span class="strong">Image</span>: Path to the executable file that wrote the value (C:\Windows\Explorer.EXE)</li>
                  <li><span class="strong">ProcessGuid/ProcessId</span>: Process GUID/Process ID of the writing process</li>
                  <li><span class="strong">Details</span>: Setting value written to the registry (QWORD)</li>
                  <li><span class="strong">TargetObject</span>: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{[GUID]}\WindowsPowerShell\v1.0\powershell.exe)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">10</td>
                  <td class="border">Process accessed (rule: ProcessAccess)</td>
                  <td class="border">Process accessed.<ul>
                  <li><span class="strong">SourceProcessGUID/SourceProcessId/SourceThreadId</span>: Process GUID/Process ID/Thread ID of the process that performed the access</li>
                  <li><span class="strong">TargetProcessGUID/TargetProcessId</span>: Process GUID/Process ID of the process that was accessed</li>
                  <li><span class="strong">GrantedAccess</span>: Access rights granted to the source process (access mask, hexadecimal)</li>
                  <li><span class="strong">SourceImage</span>: Path to the access source process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">TargetImage</span>: Path to the access destination process (C:\Windows\Explorer.EXE)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <td class="border" rowspan="2">10</td>
                  <td class="border">Security</td>
                  <td class="border">4703</td>
                  <td class="border">Token Right Adjusted Events</td>
                  <td class="border">A token right was adjusted.<ul>
                  <li><span class="strong">Disabled Privileges</span>: Privileges that were disabled</li>
                  <li><span class="strong">Target Account &gt; Security ID/Account Name/Account Domain</span>: Target user SID/Account name/Domain</li>
                  <li><span class="strong">Target Account &gt; Logon ID</span>: Session ID of the target user</li>
                  <li><span class="strong">Enabled Privileges</span>: Enabled privileges (SeDebugPrivilege)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Process Information &gt; Process ID</span>: ID of the executed process</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the executed process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4673</td>
                  <td class="border">Sensitive Privilege Use</td>
                  <td class="border">A privileged service was called.<ul>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Process &gt; Process ID</span>: ID of the process that used the privilege</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Service Request Information &gt; Privilege</span>: Privilege used (SeCreateGlobalPrivilege)</li>
                  <li><span class="strong">Process &gt; Process Name</span>: Process that used the privilege (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <td class="border" rowspan="3">11</td>
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\Administrator\AppData\Local\Temp\[RANDOM].ps1)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4663</td>
                  <td class="border">File System</td>
                  <td class="border">An attempt was made to access an object.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\Administrator\AppData\Local\Temp\[RANDOM].ps1)</li>
                  <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4658</td>
                  <td class="border">File System</td>
                  <td class="border">The handle to an object was closed.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <td class="border" rowspan="2">12</td>
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\Administrator\AppData\Local\Temp\[RANDOM].psm1)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4663</td>
                  <td class="border">File System</td>
                  <td class="border">An attempt was made to access an object.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\Administrator\AppData\Local\Temp\[RANDOM].psm1)</li>
                  <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <td class="border" rowspan="4">13</td>
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including DELETE)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\Administrator\AppData\Local\Temp\[RANDOM].ps1)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4663</td>
                  <td class="border">File System</td>
                  <td class="border">An attempt was made to access an object.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (DELETE)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\Administrator\AppData\Local\Temp\[RANDOM].ps1)</li>
                  <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4660</td>
                  <td class="border">File System</td>
                  <td class="border">An object was deleted.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name</li>
                  <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4658</td>
                  <td class="border">File System</td>
                  <td class="border">The handle to an object was closed.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <td class="border" rowspan="4">14</td>
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (DELETE)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\Administrator\AppData\Local\Temp\[RANDOM].psm1)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4663</td>
                  <td class="border">File System</td>
                  <td class="border">An attempt was made to access an object.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (DELETE)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\Administrator\AppData\Local\Temp\[RANDOM].psm1)</li>
                  <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4660</td>
                  <td class="border">File System</td>
                  <td class="border">An object was deleted.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name</li>
                  <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4658</td>
                  <td class="border">File System</td>
                  <td class="border">The handle to an object was closed.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <td class="border" rowspan="1">15</td>
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">13</td>
                  <td class="border">Registry value set (rule: RegistryEvent)</td>
                  <td class="border">Registry value set.<ul>
                  <li><span class="strong">EventType</span>: Type of registry operation (SetValue)</li>
                  <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\Explorer.EXE)</li>
                  <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                  <li><span class="strong">Details</span>: Setting value written to the registry (Binary Data)</li>
                  <li><span class="strong">TargetObject</span>: Registry value at the write destination (\REGISTRY\USER\[SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{[GUID]}\Count\{[GUID]}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <td class="border" rowspan="3">16</td>
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\POWERSHELL.EXE-[RANDOM].pf)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4663</td>
                  <td class="border">File System</td>
                  <td class="border">An attempt was made to access an object.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\POWERSHELL.EXE-[RANDOM].pf)</li>
                  <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4658</td>
                  <td class="border">File System</td>
                  <td class="border">The handle to an object was closed.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\svchost.exe)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <td class="border" rowspan="3">17</td>
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4663</td>
                  <td class="border">File System</td>
                  <td class="border">An attempt was made to access an object.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt)</li>
                  <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4658</td>
                  <td class="border">File System</td>
                  <td class="border">The handle to an object was closed.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <td class="border" rowspan="1">18</td>
                  <td class="border">Microsoft-Windows-PowerShell/Operational</td>
                  <td class="border">4104</td>
                  <td class="border">Execute a Remote Command.</td>
                  <td class="border">Creating Scriptblock text.<ul>
                  <li><span class="strong">Message</span>: Content of the executed script. The text of the executed PowerShell script block is recorded as is.</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <td class="border" rowspan="25">19</td>
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">2</td>
                  <td class="border">File creation time changed (rule: FileCreateTime)</td>
                  <td class="border">File creation time changed.<ul>
                  <li><span class="strong">UtcTime</span>: Date and time the change occurred (UTC)</li>
                  <li><span class="strong">CreationUtcTime</span>: New timestamp (UTC)</li>
                  <li><span class="strong">Image</span>: Path to the executable file</li>
                  <li><span class="strong">PreviousCreationUtcTime</span>: Old timestamp (UTC)</li>
                  <li><span class="strong">TargetFilename</span>: Name of the file changed</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-WinRM/Operational</td>
                  <td class="border">29</td>
                  <td class="border">WSMan API Initialize</td>
                  <td class="border">Initializing the WSMan API completed successfully.</td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-WinRM/Operational</td>
                  <td class="border">6</td>
                  <td class="border">WSMan Session Initialize</td>
                  <td class="border">Creating WSMan Session. The connect string is [Connect String].<ul>
                  <li><span class="strong">Connect String</span>: Host name (source host)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-WinRM/Operational</td>
                  <td class="border">31</td>
                  <td class="border">WSMan Session Initialize</td>
                  <td class="border">WSMan Create Session operation completed successfully</td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-WinRM/Operational</td>
                  <td class="border">10</td>
                  <td class="border">WSMan API Call</td>
                  <td class="border">Setting WSMan Session Option ([Option Number]) with value ([Value]) completed successfully<ul>
                  <li><span class="strong">Option Number</span>: Number of the option being set (34)</li>
                  <li><span class="strong">Value</span>: Value set (WSMAN_OPTION_USE_INTEARACTIVE_TOKEN)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-WinRM/Operational</td>
                  <td class="border">10</td>
                  <td class="border">WSMan API Call</td>
                  <td class="border">Setting WSMan Session Option ([Option Number]) with value ([Value]) completed successfully<ul>
                  <li><span class="strong">Option Number</span>: Number of the option being set (26)</li>
                  <li><span class="strong">Value</span>: Value set (WSMAN_OPTION_UI_LANGUAGE)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-WinRM/Operational</td>
                  <td class="border">10</td>
                  <td class="border">WSMan API Call</td>
                  <td class="border">Setting WSMan Session Option ([Option Number]) with value ([Value]) completed successfully<ul>
                  <li><span class="strong">Option Number</span>: Number of the option being set (25)</li>
                  <li><span class="strong">Value</span>: Value set (WSMAN_OPTION_LOCALE)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-WinRM/Operational</td>
                  <td class="border">10</td>
                  <td class="border">WSMan API Call</td>
                  <td class="border">Setting WSMan Session Option ([Option Number]) with value ([Value]) completed successfully<ul>
                  <li><span class="strong">Option Number</span>: Number of the option being set (1)</li>
                  <li><span class="strong">Value</span>: Value set (WSMAN_OPTION_DEFAULT_OPERATION_TIMEOUTMS)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-WinRM/Operational</td>
                  <td class="border">10</td>
                  <td class="border">WSMan API Call</td>
                  <td class="border">Setting WSMan Session Option ([Option Number]) with value ([Value]) completed successfully<ul>
                  <li><span class="strong">Option Number</span>: Number of the option being set (12)</li>
                  <li><span class="strong">Value</span>: Value set (WSMAN_OPTION_TIMEOUTMS_CREATE_SHELL)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-WinRM/Operational</td>
                  <td class="border">10</td>
                  <td class="border">WSMan API Call</td>
                  <td class="border">Setting WSMan Session Option ([Option Number]) with value ([Value]) completed successfully<ul>
                  <li><span class="strong">Option Number</span>: Number of the option being set (17)</li>
                  <li><span class="strong">Value</span>: Value set (WSMAN_OPTION_TIMEOUTMS_CLOSE_SHELL)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-WinRM/Operational</td>
                  <td class="border">10</td>
                  <td class="border">WSMan API Call</td>
                  <td class="border">Setting WSMan Session Option ([Option Number]) with value ([Value]) completed successfully<ul>
                  <li><span class="strong">Option Number</span>: Number of the option being set (16)</li>
                  <li><span class="strong">Value</span>: Value set (WSMAN_OPTION_TIMEOUTMS_SIGNAL_SHELL)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-WinRM/Operational</td>
                  <td class="border">11</td>
                  <td class="border">WSMan API Call</td>
                  <td class="border">Creating a WSMan shell with the resource URI http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd and ShellId Unspecified.</td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-WinRM/Operational</td>
                  <td class="border">10</td>
                  <td class="border">WSMan API Call</td>
                  <td class="border">Setting WSMan Session Option ([Option Number]) with value ([Value]) completed successfully<ul>
                  <li><span class="strong">Option Number</span>: Number of the option being set (28)</li>
                  <li><span class="strong">Value</span>: Value set (WSMAN_OPTION_MAX_ENVELOPE_SIZE_KB)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-WinRM/Operational</td>
                  <td class="border">13</td>
                  <td class="border">WSMan API Call</td>
                  <td class="border">Executing the WSMan command of CommandId Unspecified.</td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-PowerShell/Operational</td>
                  <td class="border">8193</td>
                  <td class="border">Connect</td>
                  <td class="border">Creating Runspace object.<ul>
                  <li><span class="strong">Instance ID</span>: Instance ID of the object</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-PowerShell/Operational</td>
                  <td class="border">8194</td>
                  <td class="border">Connect</td>
                  <td class="border">Creating RunspacePool object.<ul>
                  <li><span class="strong">Instance ID</span>: Instance ID of the object</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-PowerShell/Operational</td>
                  <td class="border">8195</td>
                  <td class="border">Connect</td>
                  <td class="border">Opening RunspacePool.</td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-PowerShell/Operational</td>
                  <td class="border">8197</td>
                  <td class="border">Connect</td>
                  <td class="border">Runspace state changed to [State].<ul>
                  <li><span class="strong">State</span>: State of the runspace (Opening)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-PowerShell/Operational</td>
                  <td class="border">8196</td>
                  <td class="border">PowerShell (Microsoft-Windows-PowerShell)</td>
                  <td class="border">Modifying activity ID and correlating.</td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-PowerShell/Operational</td>
                  <td class="border">12039</td>
                  <td class="border">PowerShell (Microsoft-Windows-PowerShell)</td>
                  <td class="border">Modifying activity ID and correlating.</td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-PowerShell/Operational</td>
                  <td class="border">8196</td>
                  <td class="border">PowerShell (Microsoft-Windows-PowerShell)</td>
                  <td class="border">Modifying activity ID and correlating.</td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-PowerShell/Operational</td>
                  <td class="border">12039</td>
                  <td class="border">PowerShell (Microsoft-Windows-PowerShell)</td>
                  <td class="border">Modifying activity ID and correlating.</td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-PowerShell/Operational</td>
                  <td class="border">8196</td>
                  <td class="border">PowerShell (Microsoft-Windows-PowerShell)</td>
                  <td class="border">Modifying activity ID and correlating.</td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-PowerShell/Operational</td>
                  <td class="border">12039</td>
                  <td class="border">PowerShell (Microsoft-Windows-PowerShell)</td>
                  <td class="border">Modifying activity ID and correlating.</td>
                  </tr>
                  <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-PowerShell/Operational</td>
                  <td class="border">8197</td>
                  <td class="border">Connect</td>
                  <td class="border">Runspace state changed to [State].<ul>
                  <li><span class="strong">State</span>: State of the runspace (Opened)</li>
                  </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">20</td>
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">21</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: User context the process runs as (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (88)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (88)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">22</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: User context the process runs as (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (88)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (88)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">23</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: User context the process runs as (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (88)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (88)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">24</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (destination host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (destination host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: User context the process runs as (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (5985)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (5985)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">25</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (destination host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (destination host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: User context the process runs as (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (5985)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (5985)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">26</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (destination host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (destination host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: User under which the process ran (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (5985)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (5985)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">27</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (destination host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (destination host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: User under which the process ran (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (5985)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (5985)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">28</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">12</td>
                    <td class="border">Registry object added or deleted (rule: RegistryEvent)</td>
                    <td class="border">Registry object added or deleted.<ul>
                      <li><span class="strong">EventType</span>: Operation type (CreateKey)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">TargetObject</span>: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="10">29</td>
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">15</td>
                    <td class="border">WSMan API Call</td>
                    <td class="border">Closing WSMan command</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-WinRM/Operational</td>
                  <td class="border">16</td>
                  <td class="border">WSMan API Call</td>
                  <td class="border">Closing WSMan shell</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Microsoft-Windows-WinRM/Operational</td>
                <td class="border">8</td>
                <td class="border">WSMan Session Uninitialize</td>
                <td class="border">Closing WSMan session</td>
            </tr>
            <tr class="border">
              <!-- rowspan -->
              <td class="border">Microsoft-Windows-WinRM/Operational</td>
              <td class="border">4</td>
              <td class="border">WSMan API Uninitialize</td>
              <td class="border">Uninitializing WSMan API</td>
          </tr>
          <tr class="border">
            <!-- rowspan -->
            <td class="border">Microsoft-Windows-WinRM/Operational</td>
            <td class="border">30</td>
            <td class="border">WSMan API Uninitialize</td>
            <td class="border">Uninitializing WSMan API completed successfully</td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Microsoft-Windows-WinRM/Operational</td>
          <td class="border">33</td>
          <td class="border">WSMan Session Initialize</td>
          <td class="border">The operation for closing the WSMan session completed successfully.</td>
      </tr>
      <tr class="border">
        <!-- rowspan -->
        <td class="border">Microsoft-Windows-PowerShell/Operational</td>
        <td class="border">8196</td>
        <td class="border">PowerShell (Microsoft-Windows-PowerShell)</td>
        <td class="border">Modifying activity ID and correlating.</td>
    </tr>
    <tr class="border">
      <!-- rowspan -->
      <td class="border">Microsoft-Windows-PowerShell/Operational</td>
      <td class="border">12039</td>
      <td class="border">PowerShell (Microsoft-Windows-PowerShell)</td>
      <td class="border">Modifying activity ID and correlating.</td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Microsoft-Windows-PowerShell/Operational</td>
    <td class="border">8197</td>
    <td class="border">Connect</td>
    <td class="border">Runspace state changed to [State].</td>
</tr>
<tr class="border">
  <!-- rowspan -->
  <td class="border">Microsoft-Windows-PowerShell/Operational</td>
  <td class="border">8197</td>
  <td class="border">Connect</td>
  <td class="border">Runspace state changed to [State].</td>
</tr>
<tr class="border">
<td class="border" rowspan="3">30</td>
<td class="border">Security</td>
<td class="border">4656</td>
<td class="border">File System/Other Object Access Events</td>
<td class="border">A handle to an object was requested.<ul>
<li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
<li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile)</li>
<li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
<li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive)</li>
<li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
<li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
<li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
<li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
</ul></td>
</tr>
<tr class="border">
<!-- rowspan -->
<td class="border">Security</td>
<td class="border">4663</td>
<td class="border">File System</td>
<td class="border">An attempt was made to access an object.<ul>
<li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
<li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile)</li>
<li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
<li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive)</li>
<li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
<li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
<li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
<li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
<li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
</ul></td>
</tr>
<tr class="border">
<!-- rowspan -->
<td class="border">Security</td>
<td class="border">4658</td>
<td class="border">File System</td>
<td class="border">The handle to an object was closed.<ul>
<li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
<li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
<li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
<li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
<li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
</ul></td>
</tr>
<tr class="border">
<td class="border" rowspan="2">31</td>
<td class="border">Microsoft-Windows-Sysmon/Operational</td>
<td class="border">5</td>
<td class="border">Process terminated (rule: ProcessTerminate)</td>
<td class="border">Process terminated.<ul>
<li><span class="strong">UtcTime</span>: Process terminated date and time (UTC)</li>
<li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
<li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
</ul></td>
</tr>
<tr class="border">
<!-- rowspan -->
<td class="border">Security</td>
<td class="border">4689</td>
<td class="border">Process Termination</td>
<td class="border">A process has exited.<ul>
<li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
<li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
<li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0xc000013a)</li>
<li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool</li>
<li><span class="strong">Log Date and Time</span>: Process terminated date and time (local time)</li>
<li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs</li>
<li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
<li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool</li>
<li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
</ul></td>
</tr>
</tbody>
</table>
</div>
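<p>The rows above repeat one pattern for every connection the tool opens from the source host: a Sysmon Event 3, a Security 5158 bind and a Security 5156 allow, all attributed to powershell.exe and all aimed at TCP/5985. The following added example (not code from this page) replays that sequence over constructed sample records and stitches the three events into one session per (process ID, local port) pair, so the bind event, which carries no destination, is still tied to the WinRM connection it belongs to.</p>

```python
"""Flag powershell.exe connections to WinRM (TCP/5985) in source-host logs.

Added example, not code from this page: it replays the per-connection
sequence the table describes (Sysmon Event 3, then Security 5158 bind and
5156 allow, all attributed to powershell.exe) over constructed sample
records and groups the three events into one session per
(process ID, local port) pair.
"""
from collections import defaultdict

WINRM_HTTP_PORT = 5985          # destination port recorded in the table
POWERSHELL_IMAGE = "powershell.exe"

# Constructed sample records (not captured logs). Key names mirror the
# field labels in the table: Sysmon 3 uses Image/ProcessId/DestinationPort,
# the WFP events use "Application Name"/"Process ID"/"Destination Port".
SAMPLE_EVENTS = [
    {"log": "Microsoft-Windows-Sysmon/Operational", "id": 3,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Protocol": "tcp", "User": r"NT AUTHORITY\SYSTEM", "ProcessId": 4120,
     "SourceIp": "10.0.0.10", "SourcePort": 49711,
     "DestinationIp": "10.0.0.20", "DestinationPort": 5985},
    {"log": "Security", "id": 5158, "Protocol": 6, "Process ID": 4120,
     "Application Name": r"\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe",
     "Source Port": 49711},
    {"log": "Security", "id": 5156, "Protocol": 6, "Process ID": 4120,
     "Application Name": r"\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe",
     "Direction": "Outbound", "Source Address": "10.0.0.10", "Source Port": 49711,
     "Destination Address": "10.0.0.20", "Destination Port": 5985},
    # Noise that must not match: a browser to TCP/443 ...
    {"log": "Security", "id": 5156, "Protocol": 6, "Process ID": 2200,
     "Application Name": r"\device\harddiskvolume2\program files\browser\browser.exe",
     "Direction": "Outbound", "Source Address": "10.0.0.10", "Source Port": 49712,
     "Destination Address": "203.0.113.5", "Destination Port": 443},
    # ... and the same powershell.exe talking to an internal web service on 8080.
    {"log": "Microsoft-Windows-Sysmon/Operational", "id": 3,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Protocol": "tcp", "User": r"NT AUTHORITY\SYSTEM", "ProcessId": 4120,
     "SourceIp": "10.0.0.10", "SourcePort": 49713,
     "DestinationIp": "10.0.0.30", "DestinationPort": 8080},
]


def normalize(event):
    """Map the differing field names of Sysmon 3 and Security 5156/5158
    onto one schema so the three can be compared and grouped."""
    if event["id"] == 3:
        path, pid = event["Image"], event["ProcessId"]
        src_port, dst_port = event["SourcePort"], event.get("DestinationPort")
        dst_ip, tcp = event.get("DestinationIp"), event["Protocol"] == "tcp"
    else:
        path, pid = event["Application Name"], event["Process ID"]
        src_port, dst_port = event["Source Port"], event.get("Destination Port")
        dst_ip, tcp = event.get("Destination Address"), event["Protocol"] == 6
    return {"id": event["id"], "image": path.rsplit("\\", 1)[-1].lower(),
            "pid": pid, "src_port": src_port, "dst_port": dst_port,
            "dst_ip": dst_ip, "tcp": tcp}


def is_powershell_winrm(rec):
    """True for a normalized record showing powershell.exe -> TCP/5985."""
    return (rec["tcp"] and rec["image"] == POWERSHELL_IMAGE
            and rec["dst_port"] == WINRM_HTTP_PORT)


def correlate(events):
    """Group records by (PID, local port) and keep the groups in which
    powershell.exe connected to TCP/5985.

    The 5158 bind event carries no destination, so on its own it cannot
    be classified; it is attached to a session through the (PID, source
    port) pair it shares with the Sysmon 3 and 5156 records.
    """
    by_socket = defaultdict(list)
    for event in events:
        rec = normalize(event)
        by_socket[(rec["pid"], rec["src_port"])].append(rec)
    sessions = {}
    for key, recs in by_socket.items():
        hits = [r for r in recs if is_powershell_winrm(r)]
        if hits:
            sessions[key] = {"dst_ip": hits[0]["dst_ip"],
                             "event_ids": sorted(r["id"] for r in recs)}
    return sessions


if __name__ == "__main__":
    for (pid, port), info in correlate(SAMPLE_EVENTS).items():
        print(f"PID {pid} local port {port} -> {info['dst_ip']}:{WINRM_HTTP_PORT} "
              f"seen in events {info['event_ids']}")
```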
<h3 class="subsection"><a href="#SourceDetails-UserAssist" class="collapse" id="a-SourceDetails-UserAssist" onclick="showhide('SourceDetails-UserAssist');">-</a> <a name="SourceDetails-UserAssist">UserAssist</a></h3>
<div class="section" id="div-SourceDetails-UserAssist">
<table class="border">
<thead>
<tr class="border">
<th class="border_header">#</th>
<th class="border_header">Registry entry</th>
<th class="border_header">Information That Can Be Confirmed</th>
</tr>
</thead>
<tbody>
<tr class="border">
<td class="border" rowspan="1">1</td>
<td class="border">HKEY_USERS\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr</td>
<td class="border">Date and time of the initial execution, Total number of executions</td>
</tr>
</tbody>
</table>
</div>
<h3 class="subsection"><a href="#SourceDetails-MFT" class="collapse" id="a-SourceDetails-MFT" onclick="showhide('SourceDetails-MFT');">-</a> <a name="SourceDetails-MFT">MFT</a></h3>
<div class="section" id="div-SourceDetails-MFT">
<table class="border">
<thead>
<tr class="border">
<th class="border_header">#</th>
<th class="border_header">Path</th>
<th class="border_header">Header Flag</th>
<th class="border_header">Validity</th>
</tr>
</thead>
<tbody>
<tr class="border">
<td class="border" rowspan="1">1</td>
<td class="border">[Drive Name]:\Windows\Prefetch\POWERSHELL.EXE-[RANDOM].pf</td>
<td class="border">FILE</td>
<td class="border">ALLOCATED</td>
</tr>
<tr class="border">
<td class="border" rowspan="1">2</td>
<td class="border">[Drive Name]:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations</td>
<td class="border">FOLDER</td>
<td class="border">ALLOCATED</td>
</tr>
<tr class="border">
<td class="border" rowspan="1">3</td>
<td class="border">[Drive Name]:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].customDestinations-ms</td>
<td class="border">FILE</td>
<td class="border">ALLOCATED</td>
</tr>
<tr class="border">
<td class="border" rowspan="1">4</td>
<td class="border">[Drive Name]:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt</td>
<td class="border">FILE</td>
<td class="border">ALLOCATED</td>
</tr>
</tbody>
</table>
</div>
<h3 class="subsection"><a href="#SourceDetails-Prefetch" class="collapse" id="a-SourceDetails-Prefetch" onclick="showhide('SourceDetails-Prefetch');">-</a> <a name="SourceDetails-Prefetch">Prefetch</a></h3>
<div class="section" id="div-SourceDetails-Prefetch">
<table class="border">
<thead>
<tr class="border">
<th class="border_header">#</th>
<th class="border_header">Prefetch File</th>
<th class="border_header">Process Name</th>
<th class="border_header">Process Path</th>
<th class="border_header">Information That Can Be Confirmed</th>
</tr>
</thead>
<tbody>
<tr class="border">
<td class="border" rowspan="1">1</td>
<td class="border">POWERSHELL.EXE-[RANDOM].pf</td>
<td class="border">POWERSHELL.EXE</td>
<td class="border">\VOLUME{[GUID]}\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE</td>
<td class="border">Last Run Time (last execution date and time)</td>
</tr>
</tbody>
</table>
</div>
<h3 class="subsection"><a href="#SourceDetails-Registry" class="collapse" id="a-SourceDetails-Registry" onclick="showhide('SourceDetails-Registry');">-</a> <a name="SourceDetails-Registry">Registry Entry</a></h3>
<div class="section" id="div-SourceDetails-Registry">
<table class="border">
<thead>
<tr class="border">
<th class="border_header">#</th>
<th class="border_header">Path</th>
<th class="border_header">Type</th>
<th class="border_header">Value</th>
</tr>
</thead>
<tbody>
<tr class="border">
<td class="border" rowspan="1">1</td>
<td class="border">HKEY_USERS\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr</td>
<td class="border">Binary</td>
<td class="border">[Binary Value]</td>
</tr>
<tr class="border">
<td class="border" rowspan="1">2</td>
<td class="border">HKEY_USERS\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe</td>
<td class="border">Binary</td>
<td class="border">[Binary Value]</td>
</tr>
</tbody>
</table>
</div>
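<p>The UserAssist value name listed in the UserAssist table and again in the Registry Entry table is ROT13-encoded, and the binary value behind it holds the run count and an execution timestamp. The following added example (not code from this page) decodes that name and parses the value using the Windows 7 and later 72-byte layout; the value bytes are constructed in the script, not read from a real registry.</p>

```python
"""Decode the UserAssist entry that records powershell.exe execution.

Added example, not code from this page. UserAssist stores the program
path ROT13-encoded in the value name and, on Windows 7 and later, a
72-byte binary value whose fields include the run count (offset 4) and
an execution FILETIME (offset 60). The value bytes used below are
constructed with build_sample_value(), not read from a real registry.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# Value name as listed in the UserAssist and Registry Entry tables
# (the GUID in braces is ROT13-encoded as well).
ENCODED_NAME = (r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}"
                r"\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
VALUE_SIZE = 72


def decode_name(name: str) -> str:
    """ROT13 the value name; digits, braces and backslashes pass through."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means unset."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_userassist_value(data: bytes) -> dict:
    """Parse the Windows 7+ UserAssist value (all fields little-endian).

    Offsets: 0 session id, 4 run count, 8 focus count, 12 focus time (ms),
    16 ten 4-byte floats, 56 unknown, 60 FILETIME of the run, 68 padding.
    """
    if len(data) != VALUE_SIZE:
        raise ValueError(f"expected {VALUE_SIZE}-byte value, got {len(data)}")
    session_id, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
    (run_filetime,) = struct.unpack_from("<Q", data, 60)
    return {"session_id": session_id, "run_count": run_count,
            "focus_count": focus_count, "focus_time_ms": focus_ms,
            "last_run_utc": filetime_to_datetime(run_filetime)}


def build_sample_value(run_count: int, last_run: datetime) -> bytes:
    """Construct a sample value (not a real dump) so the parser runs offline."""
    ticks = (last_run - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    buf = bytearray(VALUE_SIZE)
    struct.pack_into("<4I", buf, 0, 0, run_count, 1, 1500)
    struct.pack_into("<Q", buf, 60, ticks)
    return bytes(buf)


# Constructed sample: 7 runs, the latest at 2017-04-12 09:30 UTC.
SAMPLE_LAST_RUN = datetime(2017, 4, 12, 9, 30, tzinfo=timezone.utc)


def demo():
    """Return (decoded value name, parsed fields) for the constructed sample."""
    return decode_name(ENCODED_NAME), parse_userassist_value(
        build_sample_value(7, SAMPLE_LAST_RUN))


if __name__ == "__main__":
    name, fields = demo()
    print(name)
    print(fields)
```

The decoded GUID matches the one that appears in clear text in the JumplistData path in the Registry Entry table, which is a quick way to confirm the decoding.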
</div>
      <h2 class="section"><a href="#DestinationDetails" class="collapse" id="a-DestinationDetails" onclick="showhide('DestinationDetails');">-</a> <a name="DestinationDetails">Details: Destination Host</a></h2>
        <div class="section" id="div-DestinationDetails">
          <h3 class="subsection"><a href="#DestinationDetails-EventLogs" class="collapse" id="a-DestinationDetails-EventLogs" onclick="showhide('DestinationDetails-EventLogs');">-</a> <a name="DestinationDetails-EventLogs">Event Log</a></h3>
            <div class="section" id="div-DestinationDetails-EventLogs">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Event log</th>
                    <th class="border_header">Event ID</th>
                    <th class="border_header">Task Category</th>
                    <th class="border_header">Event Details</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="3">1</td>
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">169</td>
                    <td class="border">User Authentication</td>
                    <td class="border">User [User Name] authenticated successfully using [Authentication Method] authentication<ul>
                      <li><span class="strong">User Name</span>: User name used</li>
                      <li><span class="strong">Authentication Method</span>: Authentication method used (Kerberos)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4624</td>
                    <td class="border">Logon</td>
                    <td class="border">An account was successfully logged on.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Package Name (NTLM only)</span>: NTLM version</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number</li>
                      <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on</li>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Key Length</span>: Length of the key used for the authentication (0)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: File type (Unknown)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">2</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (System)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: User under which the process ran (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (5985)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (destination host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (destination host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (5985)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (destination host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4672</td>
                    <td class="border">Special Logon</td>
                    <td class="border">Privileges assigned to a new logon.<ul>
                      <li><span class="strong">Privileges</span>: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">3</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (System)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (88)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (destination host)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (destination host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (88)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (destination host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">4</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (System)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (88)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (destination host)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (destination host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (88)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (destination host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">5</td>
                    <td class="border">Security</td>
                    <td class="border">4688</td>
                    <td class="border">Process Create</td>
                    <td class="border">A new process has been created.<ul>
                      <li><span class="strong">Process Information &gt; Required Label</span>: Necessity of privilege escalation</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Source Process Name</span>: Path to parent process that created the new process</li>
                      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\System32\wsmprovhost.exe)</li>
                      <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
                      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">6</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (System)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (5985)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (destination host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (destination host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (5985)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (destination host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">7</td>
                    <td class="border">Security</td>
                    <td class="border">4672</td>
                    <td class="border">Special Logon</td>
                    <td class="border">Privileges assigned to a new logon.<ul>
                      <li><span class="strong">Privileges</span>: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4624</td>
                    <td class="border">Logon</td>
                    <td class="border">An account was successfully logged on.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Package Name (NTLM only)</span>: NTLM version</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number</li>
                      <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on</li>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc.</li>
                      <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Key Length</span>: Length of the key used for the authentication (0)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: File type (Unknown)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="6">8</td>
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">192</td>
                    <td class="border">User Approval</td>
                    <td class="border">Authorizing the user<ul>
                      <li><span class="strong">Error</span>: Error code</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">193</td>
                    <td class="border">User Approval</td>
                    <td class="border">A request for the user is made using a WinRM virtual account.<ul>
                      <li><span class="strong">User Information</span>: Information of the user</li>
                      <li><span class="strong">Virtual Account</span>: WinRM virtual account to be used</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">192</td>
                    <td class="border">User Approval</td>
                    <td class="border">Authorizing the user<ul>
                      <li><span class="strong">Error</span>: Error code</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">81</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Processing client request for operation [Operation].<ul>
                      <li><span class="strong">Operation</span>: Requested process (CreateShell)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">82</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Entering the plug-in for executing the operation [Operation]. ResourceURI &lt;[URL]&gt; is used.<ul>
                      <li><span class="strong">URL</span>: URL of the resource (http://schemas.microsoft.com/powershell/Microsoft.PowerShell)</li>
                      <li><span class="strong">Operation</span>: Requested process (Shell)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">134</td>
                    <td class="border">Response Processing</td>
                    <td class="border">Sending response for operation [Operation]<ul>
                      <li><span class="strong">Operation</span>: Process performed (CreateShell)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="19">9</td>
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">169</td>
                    <td class="border">User Authentication</td>
                    <td class="border">User [User Name] authenticated successfully using [Authentication Method] authentication<ul>
                      <li><span class="strong">User Name</span>: User name used</li>
                      <li><span class="strong">Authentication Method</span>: Authentication method used (Kerberos)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">192</td>
                    <td class="border">User Approval</td>
                    <td class="border">Authorizing the user<ul>
                      <li><span class="strong">Error</span>: Error code</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">193</td>
                    <td class="border">User Approval</td>
                    <td class="border">A request for the user is made using a WinRM virtual account.<ul>
                      <li><span class="strong">User Information</span>: Information of the user</li>
                      <li><span class="strong">Virtual Account</span>: WinRM virtual account to be used</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">192</td>
                    <td class="border">User Approval</td>
                    <td class="border">Authorizing the user<ul>
                      <li><span class="strong">Error</span>: Error code</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">81</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Processing client request for operation [Operation].<ul>
                      <li><span class="strong">Operation</span>: Requested process (Receive)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">82</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Entering the plug-in for executing the operation [Operation]. ResourceURI &lt;[URL]&gt; is used.<ul>
                      <li><span class="strong">URL</span>: URL of the resource (http://schemas.microsoft.com/powershell/Microsoft.PowerShell)</li>
                      <li><span class="strong">Operation</span>: Requested process (Receive)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">83</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Coming out of the plug-in for executing the operation [Operation].<ul>
                      <li><span class="strong">Operation</span>: Requested process (Receive)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">134</td>
                    <td class="border">Response Processing</td>
                    <td class="border">Sending response for operation [Operation]<ul>
                      <li><span class="strong">Operation</span>: Process performed (Receive)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">83</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Coming out of the plug-in for executing the operation [Operation].<ul>
                      <li><span class="strong">Operation</span>: Requested process (Shell)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">192</td>
                    <td class="border">User Approval</td>
                    <td class="border">Authorizing the user<ul>
                      <li><span class="strong">Error</span>: Error code</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">81</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Processing client request for operation [Operation].<ul>
                      <li><span class="strong">Operation</span>: Requested process (Receive)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">82</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Entering the plug-in for executing the operation [Operation]. ResourceURI &lt;[URL]&gt; is used.<ul>
                      <li><span class="strong">URL</span>: URL of the resource (http://schemas.microsoft.com/powershell/Microsoft.PowerShell)</li>
                      <li><span class="strong">Operation</span>: Requested process (Receive)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">83</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Coming out of the plug-in for executing the operation [Operation].<ul>
                      <li><span class="strong">Operation</span>: Requested process (Receive)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">134</td>
                    <td class="border">Response Processing</td>
                    <td class="border">Sending response for operation [Operation]<ul>
                      <li><span class="strong">Operation</span>: Process performed (Receive)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">192</td>
                    <td class="border">User Approval</td>
                    <td class="border">Authorizing the user<ul>
                      <li><span class="strong">Error</span>: Error code</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">81</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Processing client request for operation [Operation].<ul>
                      <li><span class="strong">Operation</span>: Requested process (Receive)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">82</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Entering the plug-in for executing the operation [Operation]. ResourceURI &lt;[URL]&gt; is used.<ul>
                      <li><span class="strong">URL</span>: URL of the resource (http://schemas.microsoft.com/powershell/Microsoft.PowerShell)</li>
                      <li><span class="strong">Operation</span>: Requested process (Receive)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">83</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Coming out of the plug-in for executing the operation [Operation].<ul>
                      <li><span class="strong">Operation</span>: Requested process (Receive)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">192</td>
                    <td class="border">User Approval</td>
                    <td class="border">Authorizing the user<ul>
                      <li><span class="strong">Error</span>: Error code</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">10</td>
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (5985)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (destination host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">11</td>
                    <td class="border">Security</td>
                    <td class="border">4672</td>
                    <td class="border">Special Logon</td>
                    <td class="border">Privileges assigned to a new logon.<ul>
                      <li><span class="strong">Privileges</span>: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4624</td>
                    <td class="border">Logon</td>
                    <td class="border">An account was successfully logged on.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Package Name (NTLM only)</span>: NTLM version</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number</li>
                      <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on</li>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc.</li>
                      <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Key Length</span>: Length of the key used for the authentication (0)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: File type (Unknown)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">12</td>
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (5985)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (destination host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">13</td>
                    <td class="border">Security</td>
                    <td class="border">4624</td>
                    <td class="border">Logon</td>
                    <td class="border">An account was successfully logged on.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Package Name (NTLM only)</span>: NTLM version</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number</li>
                      <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on</li>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Key Length</span>: Length of the key used for the authentication (0)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: File type (Unknown)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="20">14</td>
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">81</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Processing client request for operation [Operation].<ul>
                      <li><span class="strong">Operation</span>: Requested process (Command)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">82</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Entering the plug-in for executing the operation [Operation]. ResourceURI &lt;[URL]&gt; is used.<ul>
                      <li><span class="strong">URL</span>: URL of the resource (http://schemas.microsoft.com/powershell/Microsoft.PowerShell)</li>
                      <li><span class="strong">Operation</span>: Requested process (Command)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">83</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Coming out of the plug-in for executing the operation [Operation].<ul>
                      <li><span class="strong">Operation</span>: Requested process (Command)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">134</td>
                    <td class="border">Response Processing</td>
                    <td class="border">Sending response for operation [Operation]<ul>
                      <li><span class="strong">Operation</span>: Process performed (Command)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">169</td>
                    <td class="border">User Authentication</td>
                    <td class="border">User [User Name] authenticated successfully using [Authentication Method] authentication<ul>
                      <li><span class="strong">User Name</span>: User name used</li>
                      <li><span class="strong">Authentication Method</span>: Authentication method used (Kerberos)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">192</td>
                    <td class="border">User Approval</td>
                    <td class="border">Authorizing the user<ul>
                      <li><span class="strong">Error</span>: Error code</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">193</td>
                    <td class="border">User Approval</td>
                    <td class="border">A request for the user is made using a WinRM virtual account.<ul>
                      <li><span class="strong">User Information</span>: Information of the user</li>
                      <li><span class="strong">Virtual Account</span>: WinRM virtual account to be used</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">192</td>
                    <td class="border">User Approval</td>
                    <td class="border">Authorizing the user<ul>
                      <li><span class="strong">Error</span>: Error code</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">81</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Processing client request for operation [Operation].<ul>
                      <li><span class="strong">Operation</span>: Requested process (Send)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">82</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Entering the plug-in for executing the operation [Operation]. ResourceURI &lt;[URL]&gt; is used.<ul>
                      <li><span class="strong">URL</span>: URL of the resource (http://schemas.microsoft.com/powershell/Microsoft.PowerShell)</li>
                      <li><span class="strong">Operation</span>: Requested process (Send)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">83</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Coming out of the plug-in for executing the operation [Operation].<ul>
                      <li><span class="strong">Operation</span>: Requested process (Send)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">134</td>
                    <td class="border">Response Processing</td>
                    <td class="border">Sending response for operation [Operation]<ul>
                      <li><span class="strong">Operation</span>: Process performed (Send)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">169</td>
                    <td class="border">User Authentication</td>
                    <td class="border">User [User Name] authenticated successfully using [Authentication Method] authentication<ul>
                      <li><span class="strong">User Name</span>: User name used</li>
                      <li><span class="strong">Authentication Method</span>: Authentication method used (Kerberos)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">192</td>
                    <td class="border">User Approval</td>
                    <td class="border">Authorizing the user<ul>
                      <li><span class="strong">Error</span>: Error code</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">193</td>
                    <td class="border">User Approval</td>
                    <td class="border">A request for the user is made using a WinRM virtual account.<ul>
                      <li><span class="strong">User Information</span>: Information of the user</li>
                      <li><span class="strong">Virtual Account</span>: WinRM virtual account to be used</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">192</td>
                    <td class="border">User Approval</td>
                    <td class="border">Authorizing the user<ul>
                      <li><span class="strong">Error</span>: Error code</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">81</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Processing client request for operation [Operation].<ul>
                      <li><span class="strong">Operation</span>: Requested process (Receive)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">82</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Entering the plug-in for executing the operation [Operation]. ResourceURI &lt;[URL]&gt; is used.<ul>
                      <li><span class="strong">URL</span>: URL of the resource (http://schemas.microsoft.com/powershell/Microsoft.PowerShell)</li>
                      <li><span class="strong">Operation</span>: Requested process (Receive)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">83</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Coming out of the plug-in for executing the operation [Operation].<ul>
                      <li><span class="strong">Operation</span>: Requested process (Receive)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">134</td>
                    <td class="border">Response Processing</td>
                    <td class="border">Sending response for operation [Operation]<ul>
                      <li><span class="strong">Operation</span>: Process performed (Send)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">15</td>
                    <td class="border">Security</td>
                    <td class="border">4624</td>
                    <td class="border">Logon</td>
                    <td class="border">An account was successfully logged on.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Package Name (NTLM only)</span>: NTLM version</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (Advapi)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number</li>
                      <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on</li>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (5)</li>
                      <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Key Length</span>: Length of the key used for the authentication (0)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (Negotiate)</li>
                      <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4672</td>
                    <td class="border">Special Logon</td>
                    <td class="border">Privileges assigned to a new logon.<ul>
                      <li><span class="strong">Privileges</span>: Assigned privileges (SeAssignPrimaryTokenPrivilege, SeAuditPrivilege, SeImpersonatePrivilege)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">16</td>
                    <td class="border">Security</td>
                    <td class="border">4688</td>
                    <td class="border">Process Create</td>
                    <td class="border">A new process has been created.<ul>
                      <li><span class="strong">Process Information &gt; Required Label</span>: Necessity of privilege escalation</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Source Process Name</span>: Path to parent process that created the new process</li>
                      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)</li>
                      <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
                      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4674</td>
                    <td class="border">Sensitive Privilege Use</td>
                    <td class="border">An operation was attempted on a privileged object.<ul>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Name of the object to be processed (\BaseNamedObjects\LOADPERF_MUTEX)</li>
                      <li><span class="strong">Object &gt; Object Server</span>: Service that executed the process</li>
                      <li><span class="strong">Requested operation &gt; Privileges</span>: Requested privileges (SeTakeOwnershipPrivilege)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the object to be processed (Mutant)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4674</td>
                    <td class="border">Sensitive Privilege Use</td>
                    <td class="border">An operation was attempted on a privileged object.<ul>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Name of the object to be processed</li>
                      <li><span class="strong">Object &gt; Object Server</span>: Service that executed the process</li>
                      <li><span class="strong">Requested operation &gt; Privileges</span>: Requested privileges (SeTakeOwnershipPrivilege)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the object to be processed</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">17</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (System)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (5985)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (destination host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (destination host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">18</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">12</td>
                    <td class="border">Registry object added or deleted (rule: RegistryEvent)</td>
                    <td class="border">Registry object added or deleted.<ul>
                      <li><span class="strong">EventType</span>: Process type (CreateKey)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\wsmprovhost.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">TargetObject</span>: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">19</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">1</td>
                    <td class="border">Process Create (rule: ProcessCreate)</td>
                    <td class="border">Process Create.<ul>
                      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                      <li><span class="strong">ParentImage</span>: Executable file of the parent process (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">CurrentDirectory</span>: Work directory (C:\Windows\system32\)</li>
                      <li><span class="strong">CommandLine</span>: Command line of the execution command (C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding)</li>
                      <li><span class="strong">IntegrityLevel</span>: Privilege level (System)</li>
                      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (C:\Windows\system32\svchost.exe -k DcomLaunch)</li>
                      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">20</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">12</td>
                    <td class="border">Registry object added or deleted (rule: RegistryEvent)</td>
                    <td class="border">Registry object added or deleted.<ul>
                      <li><span class="strong">EventType</span>: Process type (CreateKey)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\wsmprovhost.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">TargetObject</span>: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">21</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (System)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (5985)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (destination host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (destination host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">22</td>
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\WSMPROVHOST.EXE-[RANDOM].pf)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile, AppendData)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\WSMPROVHOST.EXE-[RANDOM].pf)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4673</td>
                    <td class="border">Sensitive Privilege Use</td>
                    <td class="border">A privileged service was called.<ul>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process &gt; Process ID</span>: ID of the process that used the privilege</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Service Request Information &gt; Privilege</span>: Privileges used (SeTcbPrivilege)</li>
                      <li><span class="strong">Process &gt; Process Name</span>: Process that used the privileges (C:\Windows\System32\wsmprovhost.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4673</td>
                    <td class="border">Sensitive Privilege Use</td>
                    <td class="border">A privileged service was called.<ul>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process &gt; Process ID</span>: ID of the process that used the privilege</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Service Request Information &gt; Privilege</span>: Privileges used (SeTcbPrivilege)</li>
                      <li><span class="strong">Process &gt; Process Name</span>: Process that used the privileges (C:\Windows\System32\wsmprovhost.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">23</td>
                    <td class="border">Security</td>
                    <td class="border">4634</td>
                    <td class="border">Logoff</td>
                    <td class="border">An account was logged off.<ul>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4634</td>
                    <td class="border">Logoff</td>
                    <td class="border">An account was logged off.<ul>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4634</td>
                    <td class="border">Logoff</td>
                    <td class="border">An account was logged off.<ul>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="14">24</td>
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">83</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Coming out of the plug-in for executing the operation [Operation].<ul>
                      <li><span class="strong">Operation</span>: Requested process (Send)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">134</td>
                    <td class="border">Response Processing</td>
                    <td class="border">Sending response for operation [Operation]<ul>
                      <li><span class="strong">Operation</span>: Process performed (Receive)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">192</td>
                    <td class="border">User Approval</td>
                    <td class="border">Authorizing the user<ul>
                      <li><span class="strong">Error</span>: Error code</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">81</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Processing client request for operation [Operation].<ul>
                      <li><span class="strong">Operation</span>: Requested process (Signal)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">82</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Entering the plug-in for executing the operation [Operation]. ResourceURI &lt;[URL]&gt; is used (entering the plug-in for executing the Signal operation; ResourceURI &lt;http://schemas.microsoft.com/powershell/Microsoft.PowerShell&gt; is used).<ul>
                      <li><span class="strong">URL</span>: URL of the resource (http://schemas.microsoft.com/powershell/Microsoft.PowerShell)</li>
                      <li><span class="strong">Operation</span>: Requested process (Signal)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">134</td>
                    <td class="border">Response Processing</td>
                    <td class="border">Sending response for operation [Operation]<ul>
                      <li><span class="strong">Operation</span>: Process performed (Signal)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">83</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Coming out of the plug-in for executing the operation [Operation].<ul>
                      <li><span class="strong">Operation</span>: Requested process (Signal)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">192</td>
                    <td class="border">User Approval</td>
                    <td class="border">Authorizing the user<ul>
                      <li><span class="strong">Error</span>: Error code</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">81</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Processing client request for operation [Operation].<ul>
                      <li><span class="strong">Operation</span>: Requested process (DeleteShell)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">82</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Entering the plug-in for executing the operation [Operation]. ResourceURI &lt;[URL]&gt; is used.<ul>
                      <li><span class="strong">URL</span>: URL of the resource (http://schemas.microsoft.com/powershell/Microsoft.PowerShell)</li>
                      <li><span class="strong">Operation</span>: Requested process (DeleteShell)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">141</td>
                    <td class="border">Response Processing</td>
                    <td class="border">Sending the operation timeout response: [Operation]<ul>
                      <li><span class="strong">Operation</span>: Process performed (Receive)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">83</td>
                    <td class="border">Processing of Request</td>
                    <td class="border">Coming out of the plug-in for executing the operation [Operation].<ul>
                      <li><span class="strong">Operation</span>: Requested process (DeleteShell)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">134</td>
                    <td class="border">Response Processing</td>
                    <td class="border">Sending response for operation [Operation]<ul>
                      <li><span class="strong">Operation</span>: Process performed (Receive)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-WinRM/Operational</td>
                    <td class="border">134</td>
                    <td class="border">Response Processing</td>
                    <td class="border">Sending response for operation [Operation]<ul>
                      <li><span class="strong">Operation</span>: Process performed (DeleteShell)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">25</td>
                    <td class="border">Security</td>
                    <td class="border">4689</td>
                    <td class="border">Process Termination</td>
                    <td class="border">A process has exited.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x0)</li>
                      <li><span class="strong">Log Date and Time</span>: Process terminated date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\wsmprovhost.exe)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">5</td>
                    <td class="border">Process terminated (rule: ProcessTerminate)</td>
                    <td class="border">Process terminated.<ul>
                      <li><span class="strong">UtcTime</span>: Process terminated date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\wsmprovhost.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">26</td>
                    <td class="border">Security</td>
                    <td class="border">4689</td>
                    <td class="border">Process Termination</td>
                    <td class="border">A process has exited.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x0)</li>
                      <li><span class="strong">Log Date and Time</span>: Process terminated date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">5</td>
                    <td class="border">Process terminated (rule: ProcessTerminate)</td>
                    <td class="border">Process terminated.<ul>
                      <li><span class="strong">UtcTime</span>: Process terminated date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)</li>
                      </ul></td>
                  </tr>
                </tbody>
              </table>
            </div>
          <h3 class="subsection"><a href="#DestinationDetails-USNJournal" class="collapse" id="a-DestinationDetails-USNJournal" onclick="showhide('DestinationDetails-USNJournal');">-</a> <a name="DestinationDetails-USNJournal">USN Journal</a></h3>
            <div class="section" id="div-DestinationDetails-USNJournal">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">File Name</th>
                    <th class="border_header">Process</th>
                    <th class="border_header">Attribute</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="1">1</td>
                    <td class="border">WSMPROVHOST.EXE-[RANDOM].pf</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                </tbody>
              </table>
            </div>
          <h3 class="subsection"><a href="#DestinationDetails-MFT" class="collapse" id="a-DestinationDetails-MFT" onclick="showhide('DestinationDetails-MFT');">-</a> <a name="DestinationDetails-MFT">MFT</a></h3>
            <div class="section" id="div-DestinationDetails-MFT">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Path</th>
                    <th class="border_header">Header Flag</th>
                    <th class="border_header">Validity</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="1">1</td>
                    <td class="border">[Drive Name]:\Windows\Prefetch\WSMPROVHOST.EXE-[RANDOM].pf</td>
                    <td class="border">FILE</td>
                    <td class="border">ALLOCATED</td>
                  </tr>
                </tbody>
              </table>
            </div>
          <h3 class="subsection"><a href="#DestinationDetails-Prefetch" class="collapse" id="a-DestinationDetails-Prefetch" onclick="showhide('DestinationDetails-Prefetch');">-</a> <a name="DestinationDetails-Prefetch">Prefetch</a></h3>
            <div class="section" id="div-DestinationDetails-Prefetch">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Prefetch File</th>
                    <th class="border_header">Process Name</th>
                    <th class="border_header">Process Path</th>
                    <th class="border_header">Information That Can Be Confirmed</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="1">1</td>
                    <td class="border">WSMPROVHOST.EXE-[RANDOM].pf</td>
                    <td class="border">WSMPROVHOST.EXE</td>
                    <td class="border">C:\WINDOWS\SYSTEM32\WSMPROVHOST.EXE</td>
                    <td class="border">Last Run Time (last execution date and time)</td>
                  </tr>
                </tbody>
              </table>
            </div>
        </div>
      <h2 class="section"><a href="#ADDetails" class="collapse" id="a-ADDetails" onclick="showhide('ADDetails');">-</a> <a name="ADDetails">Details: Domain Controller</a></h2>
        <div class="section" id="div-ADDetails">
          <h3 class="subsection"><a href="#ADDetails-EventLogs" class="collapse" id="a-ADDetails-EventLogs" onclick="showhide('ADDetails-EventLogs');">-</a> <a name="ADDetails-EventLogs">Event Log</a></h3>
            <div class="section" id="div-ADDetails-EventLogs">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Event Log</th>
                    <th class="border_header">Event ID</th>
                    <th class="border_header">Task Category</th>
                    <th class="border_header">Event Details</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="2">1</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (destination host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (destination host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (88)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (88)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">2</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (destination host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (destination host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (88)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (88)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">3</td>
                    <td class="border">Security</td>
                    <td class="border">4768</td>
                    <td class="border">Kerberos Authentication Service</td>
                    <td class="border">A Kerberos authentication ticket (TGT) was requested.<ul>
                      <li><span class="strong">Network Information &gt; Client Address</span>: Source IP address that requested the ticket (destination host IP address)</li>
                      <li><span class="strong">Account Information &gt; Supplied Realm Name</span>: Domain of the account</li>
                      <li><span class="strong">Additional Information &gt; Ticket Option</span>: Ticket settings (0x40810010)</li>
                      <li><span class="strong">Account Information &gt; Account Name</span>: Name of the account from which the ticket was requested</li>
                      <li><span class="strong">Additional Information &gt; Result Code</span>: Ticket processing result (0x0)</li>
                      <li><span class="strong">Network Information &gt; Client Port</span>: Source port number of the ticket request (high port)</li>
                      <li><span class="strong">Account Information &gt; User ID</span>: SID of the account</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">4</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (destination host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (destination host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (88)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (88)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">5</td>
                    <td class="border">Security</td>
                    <td class="border">4769</td>
                    <td class="border">A Kerberos service ticket was requested</td>
                    <td class="border">A Kerberos service ticket was requested.<ul>
                      <li><span class="strong">Network Information &gt; Client Address</span>: Source IP address that requested the ticket (source host)</li>
                      <li><span class="strong">Account Information &gt; Account Domain</span>: Domain of the account</li>
                      <li><span class="strong">Account Information &gt; Account Name</span>: Name of the account from which the ticket was requested</li>
                      <li><span class="strong">Additional Information &gt; Ticket Option</span>: Ticket settings (0x40810010)</li>
                      <li><span class="strong">Additional Information &gt; Error Code</span>: Ticket processing result (0x0)</li>
                      <li><span class="strong">Service Information &gt; Service Name</span>: Service name of the ticket</li>
                      <li><span class="strong">Account Information &gt; Logon GUID</span>: Session ID of the logon</li>
                      <li><span class="strong">Service Information &gt; Service ID</span>: SID of the service</li>
                      <li><span class="strong">Network Information &gt; Client Port</span>: Source port number of the ticket request (high port)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">6</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (destination host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (destination host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (88)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (88)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">7</td>
                    <td class="border">Security</td>
                    <td class="border">4769</td>
                    <td class="border">A Kerberos service ticket was requested</td>
                    <td class="border">A Kerberos service ticket was requested.<ul>
                      <li><span class="strong">Network Information &gt; Client Address</span>: Source IP address that requested the ticket (source host)</li>
                      <li><span class="strong">Account Information &gt; Account Domain</span>: Domain of the account</li>
                      <li><span class="strong">Account Information &gt; Account Name</span>: Name of the account from which the ticket was requested</li>
                      <li><span class="strong">Additional Information &gt; Ticket Option</span>: Ticket settings (0x40810010)</li>
                      <li><span class="strong">Additional Information &gt; Error Code</span>: Ticket processing result (0x0)</li>
                      <li><span class="strong">Service Information &gt; Service Name</span>: Service name of the ticket</li>
                      <li><span class="strong">Account Information &gt; Logon GUID</span>: Session ID of the logon</li>
                      <li><span class="strong">Service Information &gt; Service ID</span>: SID of the service</li>
                      <li><span class="strong">Network Information &gt; Client Port</span>: Source port number of the ticket request (high port)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">8</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (destination host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (destination host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (88)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (88)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                </tbody>
              </table>
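<p>The three Security events in the table above (4768, 4769 and 5156) can be pulled together into a per-client Kerberos timeline for the hosts under investigation. The following Python is an added example and not part of this page or of PowerSploit; the event records are constructed with placeholder addresses, in the flat key/value shape an EVTX-to-JSON export gives, and the Ticket Options decoding follows the KDCOptions bit layout of RFC 4120.</p>

```python
"""Correlate Domain Controller records from the table above (Security 4768,
4769 and 5156) into a per-client Kerberos timeline. Added example, not part
of the original page; records are constructed with placeholder hosts."""
from collections import defaultdict

# KDCOptions bit names (RFC 4120, MSB-first numbering) that make up the
# Ticket Options value 0x40810010 reported in the table.
KDC_OPTION_BITS = {0x40000000: "forwardable", 0x00800000: "renewable",
                   0x00010000: "canonicalize", 0x00000010: "renewable-ok"}

def decode_ticket_options(value):
    """Name the KDC option bits set in a 4768/4769 TicketOptions field."""
    opts = int(value, 16)
    return [name for bit, name in KDC_OPTION_BITS.items() if opts & bit]

def norm_ip(addr):
    """DCs often log IPv4 clients as ::ffff:a.b.c.d; strip that prefix."""
    return addr[7:] if addr.startswith("::ffff:") else addr

def kerberos_timeline(events, hosts):
    """Group TGT, service-ticket and WFP port-88 records for the given client IPs."""
    tl = defaultdict(lambda: {"tgt": [], "st": [], "wfp_port88": 0})
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        eid = ev["EventID"]
        if eid == 4768 and norm_ip(ev["IpAddress"]) in hosts:
            tl[norm_ip(ev["IpAddress"])]["tgt"].append(
                (ev["TargetUserName"], ev["Status"],
                 decode_ticket_options(ev["TicketOptions"])))
        elif eid == 4769 and norm_ip(ev["IpAddress"]) in hosts:
            tl[norm_ip(ev["IpAddress"])]["st"].append(
                (ev["TargetUserName"], ev["ServiceName"], ev["Status"]))
        elif eid == 5156:
            # DC side of the exchange as the table shows it: lsass.exe, TCP,
            # source port 88. Direction is logged as %%14592 (inbound).
            if (ev["Application"].lower().endswith("lsass.exe")
                    and ev["Protocol"] == "6" and ev["SourcePort"] == "88"
                    and ev["Direction"] == "%%14592"
                    and norm_ip(ev["DestAddress"]) in hosts):
                tl[norm_ip(ev["DestAddress"])]["wfp_port88"] += 1
    return dict(tl)

# Constructed records mirroring rows 1-8 of the table (placeholder values).
DC, SRC, DST = "10.0.0.1", "10.0.0.20", "10.0.0.30"
def wfp(t, client):
    return {"EventID": 5156, "TimeCreated": t, "Direction": "%%14592",
            "Protocol": "6", "SourcePort": "88", "SourceAddress": DC,
            "DestAddress": client,
            "Application": r"\device\harddiskvolume2\windows\system32\lsass.exe"}
SAMPLE_EVENTS = [
    wfp(1, DST), wfp(2, DST),
    {"EventID": 4768, "TimeCreated": 3, "IpAddress": "::ffff:" + DST,
     "TargetUserName": "victim", "TargetDomainName": "EXAMPLE",
     "TicketOptions": "0x40810010", "Status": "0x0"},
    wfp(4, DST),
    {"EventID": 4769, "TimeCreated": 5, "IpAddress": "::ffff:" + SRC,
     "TargetUserName": "victim@EXAMPLE.LOCAL", "ServiceName": "DST-HOST$",
     "TicketOptions": "0x40810010", "Status": "0x0"},
    wfp(6, DST),
    {"EventID": 4769, "TimeCreated": 7, "IpAddress": "::ffff:" + SRC,
     "TargetUserName": "victim@EXAMPLE.LOCAL", "ServiceName": "krbtgt",
     "TicketOptions": "0x40810010", "Status": "0x0"},
    wfp(8, DST),
]

if __name__ == "__main__":
    for ip, rec in kerberos_timeline(SAMPLE_EVENTS, {SRC, DST}).items():
        print(ip, rec)
```

<p>On a real DC the same fields come from <code>Get-WinEvent -LogName Security</code> filtered on those three IDs; restricting <code>hosts</code> to the source and destination host addresses from the earlier sections keeps ordinary domain Kerberos traffic out of the timeline.</p>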
            </div>
        </div>
  </body>
</html>
